Hello everyone,

I'm in the process of writing an (OSS / Python) mail filter that would connect to 
SA and a statistical filter (a statistical filter like DSPAM would clean mail first 
since it has greater accuracy for spam words detection; SA would clean second 
in line as it has great features like detection of spamvertised URLs that most 
often get through statistical filters) to make spam filtering more effective.

For this purpose, I really, really need to run at least one Exim transport as 
root, because I need to chown and chmod IMAP quarantine folders after those 
folders are created and my filter has subscribed a user to the relevant quarantine 
folder (well, you can't count on every user subscribing to a normally undisplayed 
IMAP folder in webmail; it's the software that has to do this).

For this purpose I have this transport:

mailfilter:
  driver = pipe
  command = /etc/domeny/mailfilter -u ${lookup{$domain}lsearch*{/etc/virtual/domainowners}{$value}} -d $domain -l \"$local_part\" -i $sender_host_address -e /home/${lookup{$domain}lsearch{/etc/virtual/domainowners}{$value}}/.spamassassin/user_prefs -s $message_size -a $sender_address -m $message_id -c $rcpt_count -t $received_protocol -h "$acl_m_subject" -p $pipe_addresses
  current_directory = "/tmp"
  home_directory = "/tmp"
  log_output
  message_prefix =
  message_suffix =
  return_fail_output
  no_return_path_add
  user = root
  group = mail

Later the "mailfilter" program reinjects the message the traditional way (exim -oMr 
protocol..), largely because there is no clean/safe way for now to modify the 
message body during ACL scanning.

However, after I try to deliver something into quarantine using this router and 
transport:


quarantine_director:
  driver = accept
  condition = ${if eq{$received_protocol}{quarantine}{1}{0} }
  domains = lsearch;/etc/virtual/domainowners
  group = mail
  retry_use_local_part
  transport = quarantine_delivery

quarantine_delivery:
  driver = appendfile
  create_directory
  delivery_date_add
  directory_mode = 770
  envelope_to_add
  directory = /home/${lookup{$domain}lsearch*{/etc/virtual/domainowners}{$value}}/imap/${domain}/${local_part}/Maildir/.quarantine
  maildir_format
  group = mail
  mode = 660
  return_path_add
  user = "${lookup{$domain}lsearch*{/etc/virtual/domainowners}{$value}}"
  quota = ${if exists{/etc/virtual/${domain}/quota}{${lookup{$local_part}lsearch*{/etc/virtual/${domain}/quota}{$value}{0}}}{0}}


..delivery fails with this message:

2007-11-01 19:26:55 1Inei2-0003NO-4S == [EMAIL PROTECTED] R=quarantine_director T=quarantine_delivery defer (13): Permission denied: failed to open tmp/1193941615.H533832P14301.da7.domeny.com (10 tries)

Delivery has been attempted by "mailfilter" using args like the following:

/usr/sbin/exim -oMr quarantine -f [EMAIL PROTECTED] -bm [EMAIL PROTECTED]

So, questions:

1. What's wrong with this delivery? I mean, there obviously is a permission 
issue with this tmp/... temporary mail file, but I have no idea where it's 
located / how to fix this. And what has caused this?! After all, "mailfilter" 
reinjected this 

I have to run "mailfilter" transport as root, but this screws up delivery later 
and I don't know how to fix this. 

2. Should I design it for delivery of quarantined mail by my program or 
configure Exim to do it? Which is better?

3. Does Exim run as root while processing ACL or av_scanner=cmdline: conditions?


Opinions? Or, better yet, experiences and good arguments?

P.S. UNIX security model sucks. :-( They really should have implemented ACLs 
instead of root / user model.

  
--
Marcin Krol



-- 
## List details at http://lists.exim.org/mailman/listinfo/exim-users 
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
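
An added diagnostic, not part of the original post and not Exim code: maildir delivery writes each message to tmp/ under the target directory before moving it to new/, so this Python check reports which of those directories a given delivery uid and group set cannot use. The function names are hypothetical, and only classic mode bits are evaluated (POSIX ACLs and other access controls are ignored).

```python
import os
import stat

def _allows(st, uid, gids, want):
    """Classic owner/group/other check on one stat result.

    `want` is an rwx bit mask, e.g. 0o3 = write + search."""
    if uid == 0:
        return True  # root bypasses mode bits
    if st.st_uid == uid:
        bits = (st.st_mode >> 6) & 0o7
    elif st.st_gid in gids:
        bits = (st.st_mode >> 3) & 0o7
    else:
        bits = st.st_mode & 0o7
    return bits & want == want

def maildir_blockers(maildir, uid, gids):
    """Return [(path, reason)] for everything that stops uid/gids delivering."""
    problems = []
    maildir = os.path.abspath(maildir)
    # Every ancestor directory needs search (x) permission.
    parts = maildir.split(os.sep)
    for i in range(1, len(parts)):
        anc = os.sep.join(parts[:i]) or os.sep
        if not _allows(os.stat(anc), uid, gids, 0o1):
            problems.append((anc, "no search permission"))
    # The maildir itself and tmp/new/cur need write + search.
    for sub in ("", "tmp", "new", "cur"):
        path = os.path.join(maildir, sub) if sub else maildir
        try:
            st = os.stat(path)
        except FileNotFoundError:
            problems.append((path, "missing"))
            continue
        if not stat.S_ISDIR(st.st_mode):
            problems.append((path, "not a directory"))
        elif not _allows(st, uid, gids, 0o3):
            detail = "owner %d:%d mode %o" % (
                st.st_uid, st.st_gid, stat.S_IMODE(st.st_mode))
            problems.append((path, "not writable (" + detail + ")"))
    return problems
```

Pass the numeric uid that the appendfile transport's `user` option resolves to and the set of gids it delivers with (here the `mail` group), for example from `pwd.getpwnam()` and `grp.getgrnam()`.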